Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
Max time kernel: 142s
Max time network: 125s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 17/04/2024, 02:21
Static task: static1
Behavioral task: behavioral1
  Sample: f4d42c9b83b6f7e3c8d1e2ff96b897c1_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: f4d42c9b83b6f7e3c8d1e2ff96b897c1_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
Target: f4d42c9b83b6f7e3c8d1e2ff96b897c1_JaffaCakes118.exe
Size: 744KB
MD5: f4d42c9b83b6f7e3c8d1e2ff96b897c1
SHA1: 1cea4fff0af19daa401e740bea0e6b02b0b0158b
SHA256: f0a7b44e504644e7c5ffda139ee373c13da41703d91bf38e33bb5323c512b4b9
SHA512: 6326ec8a07ec857b70114d9396d7ac253ebfccd56459c1525cf8844ae653bf5694cb309650bce08f58bec9ea00201a9a79e4a2185b7a5fe21a95fd732e67ccba
SSDEEP: 12288:ji8tXVp5ApeNvTy/q5IsOha7HYx8k0/2YLLMt6AZp5:ji8pRApeNf5Sa7HYxBqLQtZZv
Malware Config
Signatures
Deletes itself (1 IoC)
  pid 2636  cmd.exe
Executes dropped EXE (1 IoC)
  pid 2052  wWw.HeiKe.Hk.exe
Drops file in Windows directory (3 IoCs)
  File opened for modification  C:\Windows\wWw.HeiKe.Hk.exe  by f4d42c9b83b6f7e3c8d1e2ff96b897c1_JaffaCakes118.exe
  File created                  C:\Windows\61642520.BAT      by f4d42c9b83b6f7e3c8d1e2ff96b897c1_JaffaCakes118.exe
  File created                  C:\Windows\wWw.HeiKe.Hk.exe  by f4d42c9b83b6f7e3c8d1e2ff96b897c1_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid 1672  f4d42c9b83b6f7e3c8d1e2ff96b897c1_JaffaCakes118.exe
  Token: SeDebugPrivilege  pid 2052  wWw.HeiKe.Hk.exe
Suspicious use of FindShellTrayWindow (1 IoC)
  pid 2052  wWw.HeiKe.Hk.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2052 wrote to memory of 2640  wWw.HeiKe.Hk.exe  procid_target 29  (4 identical entries)
  PID 1672 wrote to memory of 2636  f4d42c9b83b6f7e3c8d1e2ff96b897c1_JaffaCakes118.exe  procid_target 30  (4 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\f4d42c9b83b6f7e3c8d1e2ff96b897c1_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f4d42c9b83b6f7e3c8d1e2ff96b897c1_JaffaCakes118.exe"
  PID: 1672
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Windows\61642520.BAT
    PID: 2636
    - Deletes itself
C:\Windows\wWw.HeiKe.Hk.exe
  Command line: C:\Windows\wWw.HeiKe.Hk.exe
  PID: 2052
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  Child: C:\Program Files\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    PID: 2640
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize: 218B
MD5: 8e6282cabce7531c942f71cd6e268ab3
SHA1: 025d1049607f3dac1e5d3994806c67a85d145c41
SHA256: 48c088aa10c109bdda94bc429b58d0edc56c7db9760006821172e66886749669
SHA512: aad18328ecf2116cc54fe5ea1f2caebee4f1cd1fcf1d498d39fa81f2f21ee51cc805bf238a7e63b32d49926ffc269258cff0362ee90e3e9e5ed5664f6b0a6f1d
-
Filesize: 744KB
MD5: f4d42c9b83b6f7e3c8d1e2ff96b897c1
SHA1: 1cea4fff0af19daa401e740bea0e6b02b0b0158b
SHA256: f0a7b44e504644e7c5ffda139ee373c13da41703d91bf38e33bb5323c512b4b9
SHA512: 6326ec8a07ec857b70114d9396d7ac253ebfccd56459c1525cf8844ae653bf5694cb309650bce08f58bec9ea00201a9a79e4a2185b7a5fe21a95fd732e67ccba